Do I have to guard against SQL injection if I used a dropdown?

by

Yes you need to protect against this.

Let me show you why, using Firefox’s developer console:

i've edited one of the values in the dropdown to be a drop table statement

If you don’t cleanse this data, your database will be destroyed. (This might not be a totally valid SQL statement, but I hope I’ve gotten my point across.)

Just because you’ve limited what options are available in your dropdown does not mean you’ve limited the data I can send your server.

If you tried to restrict this further using behaviour on your page, my options include disabling that behaviour, or just writing a custom HTTP request to your server which imitates this form submission anyway. There’s a tool called curl used for exactly that, and I think the command to submit this SQL injection anyway would look something like this:

curl --data "size=%27%29%3B%20DROP%20TABLE%20*%3B%20--"  http://www.example.com/profile/save

(This might not be a totally valid curl command, but again, I hope I’ve gotten my point across.)

So, I’ll reiterate:

NEVER trust user input. ALWAYS protect yourself.

Don’t assume any user input is ever safe. It’s potentially unsafe even if it arrives through some means other than a form. None of it is ever trustworthy enough to forgo protecting yourself from SQL injection.

More Related Contents:

  1. Save the data into a database and return another value from database using PHP
  2. inserting information and image in php and mysql
  3. mysqli or die, does it have to die?
  4. How to check if a row exists in MySQL? (i.e. check if username or email exists in MySQL)
  5. How to change mysql to mysqli?
  6. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  7. Reference: What is a perfect code sample using the MySQL extension? [closed]
  8. MySQL vs MySQLi when using PHP [closed]
  9. Best way to INSERT many values in mysqli?
  10. How to get count of rows in MySQL table using PHP?
  11. MySQLi prepared statements error reporting [duplicate]
  12. Correct way to use LIKE ‘%{$var}%’ with prepared statements?
  13. Why is mysqli giving a “Commands out of sync” error?
  14. Warning: mysqli_connect(): (HY000/2002): No such file or directory
  15. How can I enable the MySQLi extension in PHP 7?
  16. mysqli_stmt::bind_param(): Number of elements in type definition string doesn’t match number of bind variables
  17. Using Mysqli bind_param with date and time columns?
  18. Using MySQLi from another class in PHP
  19. How do I display a MySQL error in PHP for a long query that depends on the user input? [duplicate]
  20. MySQL Prepared Statements
  21. PHP PDO and MySQLi [duplicate]
  22. PHP + MySql + Stored Procedures, how do I get access an “out” value?
  23. Is mysqli_real_escape_string safe?
  24. php password_verify() hash and pass won’t match
  25. Get number of rows matched by UPDATE query with PHP mysqli
  26. How to use mysqli_query() in PHP?
  27. PHP to MySQL SSL Connections
  28. Strange problem with the length of the field gotten from database [duplicate]
  29. PHP prepared statements and transactions in a loop [duplicate]
  30. Mysqli multiple row insert, simple multi insert query [duplicate]

Leave a Comment